{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,2,21]],"date-time":"2025-02-21T12:59:37Z","timestamp":1740142777576,"version":"3.37.3"},"reference-count":29,"publisher":"Oxford University Press (OUP)","issue":"4","license":[{"start":{"date-parts":[[2023,8,7]],"date-time":"2023-08-07T00:00:00Z","timestamp":1691366400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/academic.oup.com\/pages\/standard-publication-reuse-rights"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61936008","61872359","61972393"],"award-info":[{"award-number":["61936008","61872359","61972393"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Climbing Program from Institute of Information Engineering CAS","award":["E1Z0041112"],"award-info":[{"award-number":["E1Z0041112"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024,4,21]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>In truncated differential cryptanalysis of symmetric primitives, a generalized framework is to search a distinguisher concerning part of output differences, like truncated differential distribution (TDD) on certain bits (e.g. a nibble) first, and then append several rounds before and after it to recover the secret key. The logarithmic likelihood ratio statistic with respect to the TDD is usually used to distinguish guessed key bits. In this paper, we study how to improve the effect of truncated differential cryptanalysis by considering key schedules of the attacked ciphers. It turns out that for a cipher with a simple key schedule, certain guessed subkey bits may reveal information of the master key, which will help build a stronger TDD distinguisher and reduce the key recovery complexity or attack more rounds. As a result, we explore heuristic techniques to search key-recovery-friendly TDDs and construct automatic search models based on MILP. The refined methods are applied to two recent designs of symmetric primitives, WARP and Orthros, together with peculiarities of their structures as well. For WARP, after making two observations on relations between certain differences with key bits, we propose an algorithm that can find TDDs with low complexities and having potentialities to cover more rounds. Consequently, we launch key recovery attacks on 24 to 27 rounds of WARP. When it comes to Orthros, we present a two-step search algorithm to balance the number of guessed key bits and TDDs, obtaining a key recovery attack on a 7-round variant of it in the weak-key setting. Finally, we perform several verification experiments on round-reduced versions of WARP and Orthros, and the experimental results are consistent with the theoretical distributions and the analysis of generalized key recovery attack framework.<\/jats:p>","DOI":"10.1093\/comjnl\/bxad075","type":"journal-article","created":{"date-parts":[[2023,8,8]],"date-time":"2023-08-08T16:02:36Z","timestamp":1691510556000},"page":"1483-1500","source":"Crossref","is-referenced-by-count":0,"title":["Truncated Differential Attacks On Symmetric Primitives With Linear Key Schedule: WARP And Orthros"],"prefix":"10.1093","volume":"67","author":[{"given":"Shiqi","family":"Hou","sequence":"first","affiliation":[{"name":"State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences , Beijing 100093 , China"},{"name":"School of Cyber Security, University of Chinese Academy of Sciences , Beijing 100049 , China"}]},{"given":"Baofeng","family":"Wu","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences , Beijing 100093 , China"},{"name":"School of Cyber Security, University of Chinese Academy of Sciences , Beijing 100049 , China"}]},{"given":"Shichang","family":"Wang","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences , Beijing 100093 , China"},{"name":"School of Cyber Security, University of Chinese Academy of Sciences , Beijing 100049 , China"}]},{"given":"Hao","family":"Guo","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences , Beijing 100093 , China"},{"name":"School of Cyber Security, University of Chinese Academy of Sciences , Beijing 100049 , China"}]},{"given":"Dongdai","family":"Lin","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences , Beijing 100093 , China"},{"name":"School of Cyber Security, University of Chinese Academy of Sciences , Beijing 100049 , China"}]}],"member":"286","published-online":{"date-parts":[[2023,8,7]]},"reference":[{"key":"2024042316183638000_ref1","doi-asserted-by":"crossref","first-page":"272","DOI":"10.1007\/978-3-642-04138-9_20","article-title":"KATAN and KTANTAN - A family of small and efficient hardware-oriented block ciphers","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2009, 11th International Workshop, Lausanne, Switzerland, September 6\u20139, 2009, Proceedings","author":"Canni\u00e8re","year":"2009"},{"key":"2024042316183638000_ref2","doi-asserted-by":"crossref","first-page":"326","DOI":"10.1007\/978-3-642-23951-9_22","article-title":"The LED block cipher","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop","author":"Guo","year":"2011"},{"key":"2024042316183638000_ref3","first-page":"411","article-title":"Midori: A block cipher for low energy","volume-title":"Advances in Cryptology - ASIACRYPT 2015 - 21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29\u2013December 3, 2015, Proceedings, Part II, Lecture Notes in Computer Science","author":"Banik","year":"2015"},{"key":"2024042316183638000_ref4","first-page":"321","article-title":"GIFT: A small present - towards reaching the limit of lightweight encryption","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2017 - 19th International Conference, Taipei, Taiwan, September 25\u201328, 2017, Proceedings, Lecture Notes in Computer Science","author":"Banik","year":"2017"},{"key":"2024042316183638000_ref5","doi-asserted-by":"crossref","first-page":"5","DOI":"10.46586\/tosc.v2019.i1.5-45","article-title":"CRAFT: lightweight tweakable block cipher with efficient protection against DFA attacks","volume":"2019","author":"Beierle","year":"2019","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"2024042316183638000_ref6","first-page":"535","article-title":"WARP: Revisiting GFN for lightweight 128-bit block cipher","volume-title":"Selected Areas in Cryptography - SAC 2020 - 27th International Conference, Halifax, NS, Canada (Virtual Event), October 21\u201323, 2020, Revised Selected Papers, Lecture Notes in Computer Science","author":"Banik","year":"2020"},{"key":"2024042316183638000_ref7","doi-asserted-by":"crossref","first-page":"37","DOI":"10.46586\/tosc.v2021.i1.37-77","article-title":"Orthros: a low-latency PRF","volume":"2021","author":"Banik","year":"2021","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"2024042316183638000_ref8","first-page":"2","article-title":"Differential cryptanalysis of des-like cryptosystems","volume-title":"Advances in Cryptology - CRYPTO \u201890, 10th Annual International Cryptology Conference, Santa Barbara, California, USA, August 11\u201315, 1990, Proceedings, Lecture Notes in Computer Science","author":"Biham","year":"1990"},{"key":"2024042316183638000_ref9","first-page":"386","article-title":"Linear cryptanalysis method for DES cipher","volume-title":"Advances in Cryptology - EUROCRYPT \u201893, Workshop on the Theory and Application of of Cryptographic Techniques, Lofthus, Norway, May 23\u201327, 1993, Proceedings, Lecture Notes in Computer Science","author":"Matsui","year":"1993"},{"key":"2024042316183638000_ref10","first-page":"196","article-title":"Truncated and higher order differentials","volume-title":"Fast Software Encryption: Second International Workshop. Leuven, Belgium, 14\u201316 December 1994, Proceedings, Lecture Notes in Computer Science","author":"Knudsen","year":"1994"},{"key":"2024042316183638000_ref11","first-page":"1","article-title":"An all-in-one approach to differential cryptanalysis for small block ciphers","volume-title":"Selected Areas in Cryptography, 19th International Conference, SAC 2012, Windsor, ON, Canada, August 15\u201316, 2012, Revised Selected Papers, Lecture Notes in Computer Science","author":"Albrecht","year":"2012"},{"key":"2024042316183638000_ref12","first-page":"291","article-title":"Truncated differential analysis of reduced-round lblock","volume-title":"Cryptology and Network Security - 12th International Conference, CANS 2013, Paraty, Brazil, November 20\u201322. 2013. Proceedings, Lecture Notes in Computer Science","author":"Emami","year":"2013"},{"key":"2024042316183638000_ref13","doi-asserted-by":"crossref","first-page":"156","DOI":"10.46586\/tosc.v2021.i1.156-184","article-title":"Towards key-recovery-attack friendly distinguishers: application to GIFT-128","volume":"2021","author":"Zong","year":"2021","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"2024042316183638000_ref14","doi-asserted-by":"crossref","first-page":"249","DOI":"10.46586\/tosc.v2021.i2.249-291","article-title":"Automated search oriented to key recovery on ciphers with linear key schedule applications to boomerangs in SKINNY and forkskinny","volume":"2021","author":"Qin","year":"2021","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"2024042316183638000_ref15","first-page":"3","article-title":"Key guessing strategies for linear key-schedule algorithms in rectangle attacks","volume-title":"Advances in Cryptology - EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Trondheim, Norway, May 30\u2013June 3, 2022, Proceedings, Part III, Lecture Notes in Computer Science","author":"Dong","year":"2022"},{"volume-title":"Optimizing rectangle attacks: A unified and generic framework for key recovery","year":"2022","author":"Song","key":"2024042316183638000_ref16"},{"key":"2024042316183638000_ref17","first-page":"42","article-title":"MILP based differential attack on round reduced WARP","volume-title":"Security, Privacy, and Applied Cryptography Engineering - 11th International Conference, SPACE 2021, Kolkata, India, December 10\u201313, 2021, Proceedings, Lecture Notes in Computer Science","author":"Kumar","year":"2021"},{"key":"2024042316183638000_ref18","first-page":"103316","article-title":"Differential cryptanalysis of WARP","volume":"70","author":"Teh","year":"2022","journal-title":"J. Inf. Secur. Appl."},{"key":"2024042316183638000_ref19","doi-asserted-by":"crossref","first-page":"189","DOI":"10.1007\/978-3-031-17433-9_9","article-title":"Automated key recovery attacks on round-reduced orthros","volume-title":"Progress in Cryptology - AFRICACRYPT 2022: 13th International Conference on Cryptology in Africa, AFRICACRYPT 2022, Fes, Morocco, July 18\u201320, 2022, Proceedings Lecture Notes in Computer Science","author":"Li","year":"2022"},{"key":"2024042316183638000_ref20","doi-asserted-by":"crossref","first-page":"92","DOI":"10.46586\/tosc.v2022.i2.92-112","article-title":"Integral cryptanalysis of WARP based on monomial prediction","volume":"2022","author":"Hadipour","year":"2022","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"2024042316183638000_ref21","doi-asserted-by":"crossref","first-page":"113","DOI":"10.46586\/tosc.v2022.i2.113-140","article-title":"Automatic search of rectangle attacks on feistel ciphers: application to WARP","volume":"2022","author":"Lallemand","year":"2022","journal-title":"IACR Trans. Symmetric Cryptol."},{"article-title":"Improved the automated evaluation algorithm against differential attacks and its application to warp. EasyChair Preprint no. 8736","year":"2022","author":"Shi","key":"2024042316183638000_ref22"},{"key":"2024042316183638000_ref23","first-page":"1","article-title":"Constructing the impossible differential of type-ii gfn with boolean function and its application to warp","volume":"32","author":"Shi","year":"2022","journal-title":"Chin. J. Electron."},{"article-title":"Key-recovery attacks on craft and warp (full version). Cryptology ePrint archive, paper 2022\/997","year":"2022","author":"Sun","key":"2024042316183638000_ref24"},{"key":"2024042316183638000_ref25","first-page":"432","article-title":"How far can we go beyond linear cryptanalysis?","volume-title":"Advances in Cryptology - ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, December 5\u20139, 2004, Proceedings, Lecture Notes in Computer Science","author":"Baign\u00e8res","year":"2004"},{"key":"2024042316183638000_ref26","doi-asserted-by":"crossref","DOI":"10.2307\/3538355","volume-title":"The advanced theory of statistics","author":"Kendall","year":"1961"},{"key":"2024042316183638000_ref27","first-page":"158","article-title":"Automatic security evaluation and (related-key) differential characteristic search: Application to simon, present, lblock, DES(L) and other bit-oriented block ciphers","volume-title":"Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7\u201311, 2014. Proceedings, Part I, Lecture Notes in Computer Science","author":"Sun","year":"2014"},{"key":"2024042316183638000_ref28","first-page":"17","article-title":"Markov ciphers and differential cryptanalysis","volume-title":"Advances in Cryptology - EUROCRYPT \u201891, Workshop on the Theory and Application of of Cryptographic Techniques, Brighton, UK, April 8\u201311, 1991, Proceedings, Lecture Notes in Computer Science","author":"Lai","year":"1991"},{"key":"2024042316183638000_ref29","doi-asserted-by":"crossref","first-page":"291","DOI":"10.1007\/s00145-005-0129-3","article-title":"Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials","volume":"18","author":"Biham","year":"2005","journal-title":"J. Cryptol."}],"container-title":["The Computer Journal"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/67\/4\/1483\/57295988\/bxad075.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/67\/4\/1483\/57295988\/bxad075.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,4,23]],"date-time":"2024-04-23T17:12:38Z","timestamp":1713892358000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/comjnl\/article\/67\/4\/1483\/7238220"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,8,7]]},"references-count":29,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2023,8,7]]},"published-print":{"date-parts":[[2024,4,21]]}},"URL":"https:\/\/doi.org\/10.1093\/comjnl\/bxad075","relation":{},"ISSN":["0010-4620","1460-2067"],"issn-type":[{"type":"print","value":"0010-4620"},{"type":"electronic","value":"1460-2067"}],"subject":[],"published-other":{"date-parts":[[2024,4]]},"published":{"date-parts":[[2023,8,7]]}}}